
Network Device and Endpoints are not showing up on the ISE GUI

CasualUser01

Hello everyone,

 

I am currently deploying Cisco ISE and am already facing a few problems. The Cisco ISE and the authenticator switch are in the same VLAN, but somehow I can't see the switch on the ISE GUI. The same goes for the connected endpoints on the switch. I'm using the Cisco Catalyst 2960-X with Cisco IOS 15.2.2E8bin. I will attach some screenshots of my switch config for the communication with the ISE server. I can't even see any logs if I go to the live section on the GUI. Could one reason be that I haven't configured a DNS name yet for the ISE server, or is that not necessary? I hope someone can help me out, it's getting fairly frustrating.

 

 

PS:

I also can't get rid of the "authentication open" config on the switch ports. I once enabled it but couldn't find a command that deactivates it.


20 Replies

You use the name of ISE, and the switch needs to resolve the IP before it starts connecting to it.

Did you configure any DNS that the switch uses?

I configured a DNS server for the switch, but I realized that I don't have a DNS record for the ISE server. Could that be the problem, or does this have nothing to do with the connection since I'm also giving the IP of the ISE server?

Is the ISE server in the same subnet as the SVI IP address?

Can you ping ISE from the SVI of the switch?

 

Hi, yes, I can ping the switch management interface from the ISE server.

I checked your config:

Auth mode open

You need to delete this config.

This mode is called monitor mode; ISE just records the account.

 

@Rob Ingram I correct my comment.

@MHM Cisco World that's not correct, in "open" mode the switch still sends authentication to ISE. Open mode is used in monitor mode, if authentication/authorisation fails the user can still have network access.

That command is fine in this scenario if the user intends to run in open mode.

I also wanted to delete this config, but as I mentioned in the thread above, I couldn't find a command that disables the authentication open mode.

Does the switch accept the command below?

authentication display legacy

If not, then you are running new-style and all the commands you enter will not run in new-style.

You need to revert to legacy, then the command can run.

@CasualUser01 I don't think you have the switch defined in ISE as a Network Device under Administration > Devices > Network Devices? Here you specify the IP address and shared secret (as defined on the switch).

 

Refer to the ISE wired guide for more information on switch configuration

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

Hey Rob,

 

thanks for your reply. I have configured the switch on the ise server as a network device with the IP of the management interface. I also followed the wired access control guide that you posted and still had the same issues and I don't know why.

@CasualUser01 but are the RADIUS requests coming from the mgmt interface? You can specify the RADIUS source using "ip radius source-interface XXXX"

 

Please provide the full switch configuration.

If you run the command "show authentication session", does it even indicate a session has started? Provide the output for review.

 

Run "show aaa server" and confirm the RADIUS server is not dead/down.

I configured the RADIUS source interface as VL120 since ISE and the switch are in the same VLAN. Unfortunately I can't show the config now since I'm home and haven't configured SSH on the switch yet, but I can say that if I do show aaa server it does show that the RADIUS server is running but there were no requests whatsoever. And if I do show authentication session it says that the method was N/A and the connected device was also unauthorized + domain is unknown, so I don't think that the switch passed the information to the ISE, or the ISE could not receive it because of other reasons.

@CasualUser01 well, if no requests are being sent the problem is probably the switch rather than ISE. Have you enabled 802.1x globally on the switch - "dot1x system-auth-control"?
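
As an added example (not code from this thread or from Cisco), the Python check below reads a saved running-config and looks for the points raised in the replies: `dot1x system-auth-control`, a RADIUS source interface, a RADIUS server entry for ISE, and authenticator ports left in `authentication open`. The sample config, the 192.0.2.10 address standing in for ISE, and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not the poster's); 192.0.2.10 stands in for ISE.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
ip radius source-interface Vlan120
radius server ISE01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
interface GigabitEthernet1/0/1
 switchport mode access
 authentication open
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
"""

def parse_blocks(config):
    """Split IOS-style config into global lines and {header: [indented sub-lines]}."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] == " " and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            blocks[current] = []
    return global_lines, blocks

def check_dot1x(config, ise_ip):
    """Return a list of findings for the items the thread's replies ask about."""
    glob, blocks = parse_blocks(config)
    findings = []
    for needed in ("aaa new-model", "dot1x system-auth-control"):
        if needed not in glob:
            findings.append(f"missing global command: {needed}")
    if not any(g.startswith("ip radius source-interface ") for g in glob):
        findings.append("no RADIUS source interface set")
    servers = [s for h, subs in blocks.items() if h.startswith("radius server ") for s in subs]
    if not any(re.match(rf"address ipv4 {re.escape(ise_ip)}\b", s) for s in servers):
        findings.append(f"no radius server points at {ise_ip}")
    for hdr, subs in blocks.items():
        # Only ports acting as authenticators matter for the open-mode check.
        if hdr.startswith("interface ") and "authentication port-control auto" in subs \
                and "authentication open" in subs:
            findings.append(f"{hdr}: authentication open (failed auth still gets access)")
    return findings
```

A clean result here only means the switch side is configured to send requests; the switch must still be defined in ISE as a network device with the matching IP address and shared secret.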
